
Discussion points on the review and cleanup of JAAS usage.

Rationale

Our JAAS integration introduces some confusion and seems to chase its own tail.

On one hand, LoginModules have to be written specifically with Magnolia in mind (which sort of contradicts the idea of JAAS), and on the other, by looking at our own LoginModule, developers tend to also implement their own UserManager. In theory, the two are independent; in practice, with a little effort on our side, we might be able to remove the need for a Magnolia-specific LoginModule implementation altogether and provide 3rd party authentication by implementing only a UserManager. To investigate:

  • Generalize our JCRAuthenticationModule (and name it better: it does nothing with JCR anymore)
  • Let it delegate to all known UserManagers (a DelegatingUserManager), asking each one "do you know this user?"; this means we would need to move the actual password matching into the UserManager (or an associated class)

Additional confusion is brought in by our concept of "realm". In Magnolia's internal user management, this really just reflects the folder into which users are stored. When 3rd party authentication comes into the picture, what does it reflect? Within the domain of JAAS or app-server login configuration, "realm" is really understood as "application". If you look at our sample jaas.config file, that is exactly what it is: "<name used by application to refer to this entry>", which is how it is documented: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html

Additional confusion is brought by our skip_on_previous_success option, which makes a JAAS configuration much harder to understand: it contradicts or inhibits the use of some combinations of the standard control flags ("requisite", "required", "optional", "sufficient") between modules.
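To make the two points above concrete, here is an added illustrative login configuration entry in the jaas.config file format. It is not Magnolia's shipped jaas.config and the module class names are placeholders; the application selects the entry by its name when it constructs a LoginContext (in Java, new LoginContext("magnolia", callbackHandler)), which is why the entry name is what JAAS calls the "realm". The comments state the standard JAAS meaning of each control flag and mark skip_on_previous_success as the Magnolia-specific option, not a standard flag.

```jaas
// Added example, not Magnolia's own jaas.config. Module class names are placeholders.
// The entry name "magnolia" is the JAAS "realm": the string the application passes
// to new LoginContext("magnolia", callbackHandler) to pick this chain of modules.

magnolia {
    // requisite: must succeed; on failure control returns to the application
    // immediately and no later module in this entry runs.
    com.example.placeholder.ContainerLoginModule requisite;

    // sufficient: not required to succeed; on success control returns to the
    // application right away (unless an earlier required/requisite module failed),
    // on failure authentication simply continues with the next module.
    com.example.placeholder.ExternalDirectoryLoginModule sufficient;

    // required: must succeed, but the remaining modules always run, so a failure
    // is only reported to the application after the whole chain has executed.
    // skip_on_previous_success is the Magnolia-specific option discussed above,
    // not a standard JAAS flag: it lets this module step aside when an earlier
    // module already succeeded, which is exactly what blurs the standard
    // required/sufficient semantics and makes the chain hard to reason about.
    com.example.placeholder.InternalUserLoginModule required
        skip_on_previous_success=true;

    // optional: never required; success or failure both continue down the list.
    com.example.placeholder.AuditOnlyLoginModule optional;
};
```

Reading the entry top to bottom with the standard flag rules is enough to predict the outcome of any combination of module results; adding the non-standard option means the reader also has to know Magnolia's extra rule, which is the comprehension cost the text is pointing at.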

After discussions at a customer's site, these ideas also came up and should be investigated:

  1. Add a 3rd out-of-the-box LoginHandler, JaasLoginHandler, which could pull the credentials out of JAAS at container level (it seems this is possible, but it may be a JBoss-specific thing) if the user is already logged in against the container.
  2. Have a generic JAAS LoginModule which can poke the UserManagers using the credentials above.

Also to be investigated / rethought:

  • Can we really benefit from JAAS? Do we use it the right way?
  • What does it bring us? If custom/3rd party authentication LoginModules can't be plugged in as-is without being written specifically for Magnolia, do we really want to keep it?
  • Is there a more valuable alternative?

1 Comment

  1. If we ever consider this, I would suggest moving towards Shiro: http://shiro.apache.org/